From 378a960b82725ddbc101fcaf45b2b2f9b4a89ca9 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Mon, 20 Apr 2026 16:23:04 +0200
Subject: [PATCH] check for valid referer uri when logging in

---
 CHANGELOG | 1 +
 op/op.Login.php | 10 +++++-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 4d19caf0a..a9a6ca483 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,7 @@
 - output and check for reasonable values of upload_max_filesize, post_max_size and memory_limit
 - remove null bytes from login
 - remove null bytes from password when authenticating by ldap
+- check for valid referer uri when logging in
 --------------------------------------------------------------------------------
 Changes in version 5.1.46
diff --git a/op/op.Login.php b/op/op.Login.php
index 63d05d9c8..840a881c5 100644
--- a/op/op.Login.php
+++ b/op/op.Login.php
@@ -71,15 +71,15 @@ if(isset($_REQUEST["lang"]) && strlen($_REQUEST["lang"])>0 && is_numeric(array_s
 $session = new Session($db);
-// TODO: by the PHP manual: The superglobals $_GET and $_REQUEST are already decoded.
-// Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results.
-
 $referuri = '';
 if (isset($_POST["referuri"]) && strlen($_POST["referuri"])>0) {
-	$referuri = trim(urldecode($_POST["referuri"]));
+	$referuri = trim($_POST["referuri"]);
 } else if (isset($_GET["referuri"]) && strlen($_GET["referuri"])>0) {
-	$referuri = trim(urldecode($_GET["referuri"]));
+	$referuri = trim($_GET["referuri"]);
+}
+if ($referuri !== '' && !preg_match('#^/[A-Za-z0-9/_\-.?=&]*$#', $referuri)) {
+	$referuri = '';
 }
 add_log_line();
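Review bot: The allowlist in the new `if ($referuri !== '' && !preg_match(...))` line still accepts a value that begins with two slashes, such as `//example.invalid/path`, because `/` is itself a member of the character class; browsers resolve such a path as scheme-relative, so if `$referuri` is later used as a redirect target (its use lies outside this hunk) the check does not rule out an off-site destination. Rejecting a second leading slash closes that gap: `if ($referuri !== '' && !preg_match('#^/(?!/)[A-Za-z0-9/_\-.?=&]*$#', $referuri)) {`. The rewritten `trim($_POST["referuri"])` and `trim($_GET["referuri"])` lines also hand the raw superglobal straight to `strlen()` and `trim()`, which throw a `TypeError` under PHP 8 when the parameter arrives as an array rather than a string; adding `is_string($_POST["referuri"])` (and the `$_GET` counterpart) to each `isset` condition keeps the login path from failing on malformed input. A one-line comment above the check, `// only a site-relative path (single leading slash) is accepted as the post-login destination`, would record the intent of the allowlist for the next maintainer.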